| Summary: | SELinux is preventing NetworkManager from using the sys_module capability | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ralgh <bugs2rl> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | rawhide | CC: | awilliam, dcbw, dwalsh, satellitgo |
| Hardware: | i686 | OS: | All |
| Doc Type: | Bug Fix | Last Closed: | 2011-08-02 06:25:09 UTC |

This is my first bug report

Dan; this may have gotten fixed; no idea.

If this permission is what I think it is, NM does attempt to insmod a few things like ppp_generic and a bunch of iptables modules used for NAT.

We have this fixed in the next releases of Fedora. Also, F13 is no longer supported. Could you update to a newer version of Fedora?

You can dontaudit it using

    # grep NetworkManager /var/log/audit/audit.log | audit2allow -D -M mypol
    # semodule -i mypol.pp

Thank you for commenting. Now I have also installed Fedora 15, and the connection worked fine until the NetworkManager broke down. I'm using a GPRS/Edge/3G USB modem (ppp0). But like I wrote: this is my first bug report, so don't waste your time thinking about my problems; I was only trying to learn how to write a bug report first, thinking that maybe it could be of interest.

----------------------------

(In reply to comment #3)

> We have this fixed in the next releases of Fedora. Also, F13 is no longer
> supported. Could you update to a newer version of Fedora?
>

I did now, but I had some problems with F15 (I had to install it twice; after working quite fine at first (Gnome3), the NetworkManager broke down (USB HSDPA mobile connection)), now updated to "release 17 (Rawhide)"; my updated F13 seems to be more stable.

> You can dontaudit it using
>
> # grep NetworkManager /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp

What's 'dontaudit'?

----------------------------
----------------------------
Now I have another problem: PackageKit is not working anymore
("Distro version: Fedora release 17 (Rawhide)
PackageKit version: 0.6.17
PackageKit Process Information:
root 1899 0.0 0.5 29548 5344 ? Sl 12:02 0:00 /usr/libexec/packagekitd)"):
Error message: "RepoError: database disk image is malformed"
----------------------------

Ralgh, please use
Community support for Fedora users <users.org>
For these questions, they should not be in bugzilla, unless they are real bugs.

(In reply to comment #7)

> Ralgh, please use
> Community support for Fedora users <users.org>
> For these questions, they should not be in bugzilla, unless they are real bugs.

Thank you, Daniel, I didn't realize that. But users.org is a mail address, not an address of a recommended bug report page! Anyway, I think you meant me to go to https://admin.fedoraproject.org/mailman/listinfo/users instead. Yet in my opinion the pages https://bugzilla.redhat.com are far more helpful.

r. :-|

Created attachment 516037
Fedora 13 SELinux Bugreport

    SELinux is preventing /usr/sbin/NetworkManager from using the sys_module capability.

    ***** Plugin sys_module (99.5 confidence) suggests *************************

    If you do not believe that /usr/sbin/NetworkManager should be attempting to modify the kernel by loading a kernel module.
    Then a process might be attempting to hack into your system.
    Do
    contact your security administrator and report this issue.

    ***** Plugin catchall (1.49 confidence) suggests ***************************

    If you believe that NetworkManager should have the sys_module capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Quellkontext                  system_u:system_r:NetworkManager_t:s0
    Zielkontext                   system_u:system_r:NetworkManager_t:s0
    Zielobjekte                   Unknown [ capability ]
    Quelle                        NetworkManager
    Quellpfad                     /usr/sbin/NetworkManager
    Port                          <Unbekannt>
    Host                          (removed)
    RPM-Pakete der Quelle         NetworkManager-0.8.4-1.fc13
    RPM-Pakete des Ziels
    Richtlinien-RPM               selinux-policy-3.7.19-101.fc13
    SELinux aktiviert             True
    Richtlinientyp                targeted
    Enforcing-Modus               Permissive
    Rechnername                   (removed)
    Plattform                     Linux localhost.localdomain 2.6.34.9-69.fc13.i686 #1 SMP Tue May 3 09:20:30 UTC 2011 i686 i686
    Anzahl der Alarme             9
    Zuerst gesehen                So 31 Jul 2011 18:41:51 CEST
    Zuletzt gesehen               So 31 Jul 2011 22:33:29 CEST
    Lokale ID                     db525607-8994-4892-8a18-a861f2b87a5e

    Raw-Audit-Meldungen
    type=AVC msg=audit(1312144409.74:40): avc: denied { sys_module } for pid=1237 comm="NetworkManager" capability=16 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability

    type=SYSCALL msg=audit(1312144409.74:40): arch=i386 syscall=ioctl success=no exit=ENODEV a0=12 a1=8915 a2=bf91a54c a3=bf91a54c items=0 ppid=1 pid=1237 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)

    Hash: NetworkManager,NetworkManager_t,NetworkManager_t,capability,sys_module

    audit2allow

    #============= NetworkManager_t ==============
    allow NetworkManager_t self:capability sys_module;

    audit2allow -R

    #============= NetworkManager_t ==============
    allow NetworkManager_t self:capability sys_module;
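
Added example, not part of the bug report and not audit2allow's own code: it parses the AVC record from the report above and shows how the same denial becomes either an `allow` rule or, as with `audit2allow -D`, a `dontaudit` rule, and flags capability denials that deserve a manual look first. The `example_t`/`demo_file_t` record and the `REVIEW_CAPS` list are constructed assumptions.

```python
import re

# The AVC record from the report above (whitespace as it appears on the page).
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1312144409.74:40): avc: denied { sys_module } for pid=1237 '
    'comm="NetworkManager" capability=16 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability')
# Constructed record for a hypothetical example_t domain (non-self target).
CONSTRUCTED = (
    'type=AVC msg=audit(1312150000.10:55): avc: denied { write read } for pid=1300 '
    'comm="example" name="demo" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:demo_file_t:s0 tclass=file')
# The report counts 9 alerts for one denial, so repeat the record in the sample.
SAMPLE_LOG = "\n".join([AVC_FROM_REPORT, AVC_FROM_REPORT, CONSTRUCTED])

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: capabilities to review by hand before allowing.
REVIEW_CAPS = {"sys_module", "sys_admin", "sys_rawio", "sys_ptrace"}

def parse_denials(log):
    """Yield (source_type, target, tclass, perms) for each AVC denial line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group(2)))
        src = fields["scontext"].split(":")[2]   # user:role:type:level
        tgt = fields["tcontext"].split(":")[2]
        # Like audit2allow, write "self" when source and target type match.
        yield src, ("self" if src == tgt else tgt), fields["tclass"], m.group(1).split()

def build_rules(log, keyword="allow"):
    """Merge repeated denials into one rule per (source, target, class).

    keyword="allow" grants the access; keyword="dontaudit" leaves it denied
    in enforcing mode and only stops the denial from being logged.
    """
    merged = {}
    for src, tgt, tclass, perms in parse_denials(log):
        bucket = merged.setdefault((src, tgt, tclass), [])
        bucket.extend(p for p in perms if p not in bucket)
    return [f"{keyword} {s} {t}:{c} "
            + (p[0] if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }") + ";"
            for (s, t, c), p in merged.items()]

def needs_review(log):
    """Capability denials that should not be turned into allow rules blindly."""
    return sorted({(src, p) for src, _, tclass, perms in parse_denials(log)
                   if tclass == "capability" for p in perms if p in REVIEW_CAPS})
```
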